Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I unable to fetch more then 1000000 records via a scheduled report from Splunk to email in a CSV?

rohitvjoshi
Path Finder
‎12-11-2018 08:19 PM

Hi Splukers ,

We have scheduled a report into get an email with CSV attachment for the everyday 6 AM.

My report is giving around 500000 records when i am running reporting manually into the Splunk server, as well as I am able to see all the records into .text format. However, the scheduled file i got into the mail is 50001 only.

I have already done all the necessary changes in/home/splunk/etc/system/local/limits.conf like below:

[scheduler]
max_action_results=100000000

[searchresults]
maxresultrows=100000000

As well $SPLUNK_HOME/etc/system/local/alert_actions.conf

[default]
maxresults = 100000000

Saved search for that report is already created so we have change the configuration in savedsearches.conf as well :

action.email.maxresults=100000000

After all the changes, we restarted the servers but still we are not getting all records into the email.

Please Suggest!!

Thanks
RJ

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rohitvjoshi
Path Finder
‎12-13-2018 01:54 AM

Hi Splunkers,

we had find the solution for this thread.we have to add dispatch.max_count=10000000 in savedsearches.conf file under the index.Now we are getting 10000000 records in Email.

By Default dispatch.max_count is 50000.

Cheers!!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rohitvjoshi
Path Finder
‎12-13-2018 01:54 AM

Hi Splunkers,

we had find the solution for this thread.we have to add dispatch.max_count=10000000 in savedsearches.conf file under the index.Now we are getting 10000000 records in Email.

By Default dispatch.max_count is 50000.

Cheers!!

0 Karma
Reply
Solved! Jump to solution

whrg
Motivator
‎12-11-2018 11:49 PM

Hello @rohitvjoshi,

I found this similar question: How to overcome CSV max results to email?

Check out the accepted answer. Try the following change (and restart Splunk afterwards):

$SPLUNK_HOME/etc/system/local/alert_actions.conf
[default]
maxresults = 100000000

0 Karma
Reply
Solved! Jump to solution

rohitvjoshi
Path Finder
‎12-12-2018 02:05 AM

Thanks for your response!

we have already configured this configuration still we are not getting expected results.
we have to apply these changes in Search Head or Indexers.

0 Karma
Reply
Solved! Jump to solution

whrg
Motivator
‎12-12-2018 04:02 AM

I believe you have to apply it on the Search Head.

0 Karma
Reply
Solved! Jump to solution

rohitvjoshi
Path Finder
‎12-12-2018 03:55 PM

Yeah , I have applied these configurations in Search Head but still not working.

My Cluster do not have Minimum Hardware as recommended by Splunk , Is there any impact of hardware on this ??

Thanks In advance!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...